🌟Vasilij’s note
This week I connected Claude Cowork straight to Postiz, our social scheduler, and watched it turn a video I'd already made into a drafted LinkedIn post in under a minute. No workflow canvas, no nodes - just an agent talking to a tool over MCP. Good news for anyone doing their own marketing between fee-earning hours. But the same week, Sysdig published the first documented case of a ransomware operation run end-to-end by an LLM agent, with no human touching the keyboard after launch. Same underlying capability - an agent that can act on a connected system without supervision - doing genuinely useful work in one case and genuinely serious damage in the other. The difference wasn't the model. It was the guardrails someone did or didn't put around it. That's the thread running through this whole edition.
In today's edition
This week in agents | What changed
Gartner projects 40% of enterprise applications will carry embedded agents by the end of 2026, up from under 5% in 2025 - and governance isn't keeping pace.
The latest Technology Radar update frames this as the defining signal of the month: agents have left the pilot stage and entered production, but the accountability question (who answers for it when the agent gets something wrong) is largely unanswered. → For consultancies advising clients on AI rollouts, "have you decided who owns an agent's mistakes" is now a more useful diagnostic question than "which model are you using."
Anthropic's Claude is now available as a selectable model inside Microsoft 365 Copilot Chat
Giving Copilot users the option to run Claude for document analysis, structured content, and multi-step planning without leaving the Microsoft stack. → If your firm already licenses Copilot, this is Claude arriving on infrastructure you're already paying for - worth testing on the exact workflows you've been routing to a separate tool
Sysdig documents JADEPUFFER, the first fully agentic ransomware operation run end-to-end by an LLM with no human at the keyboard.
The agent chained reconnaissance, credential theft, lateral movement and database destruction into over 600 purposeful payloads, correcting a failed login and redeploying a fix in 31 seconds - a speed no human operator matches. It got in through an exposed, unpatched Langflow instance. → Any client running self-hosted agent tooling or exposed MCP servers needs a patch-and-network-exposure review this month, not next quarter.
Top moves | Signal → impact
Microsoft folds Copilot into Business Standard and Business Premium as a permanent bundle, effective 1 July
Instead of paying a separate add-on, firms on the new SKUs get Copilot built into Word, Excel, Outlook and Teams for $23.50 and $32 per user per month respectively - a saving of roughly a third versus buying the add-on separately for a typical Business Premium seat. → Re-run your Copilot business case this month. If you've been holding off because of the add-on cost, that line item has just changed, and a permissions and data-access review should be the first step before switching anyone on.
The EU AI Act's remaining obligations become fully applicable on 2 August 2026
Activating rules for general-purpose and high-risk AI systems, including any AI used to screen or evaluate candidates. → If you have EU clients, EU staff, or hiring workflows that touch EU candidates, inventory every AI tool involved this month and get each vendor's compliance status in writing - "we're still testing it" won't hold up as a defence after 2 August.
The accountancy profession moves from ad hoc AI use to formal written policy.
The AICPA's professional liability guidance this month tells firms to define what "generative AI" means for their practice, maintain an approved-tools list, and require human review before any AI-assisted output touches a client deliverable - tax filings and financial statement opinions specifically named. → Any consultancy advising accountancy or advisory clients on AI adoption now has a concrete governance template to work from, and a reason to check whether your own firm has the same policy in writing.
Maker note | What I built this week
This week I wired Claude Cowork to Postiz's MCP server and asked it to turn last week's Nebius/GLM-5.2 video into one LinkedIn post for the company page, scheduled as a draft.
Decision: keeping the draft-then-approve gate as a hard rule, not a nice-to-have, because the first time an odd line goes out under the firm's name with nobody having read it first, trust in the whole automation evaporates.
Upskilling spotlight | Learn this week
Claude Custom Connectors guide (Anthropic)
Walks through adding any remote MCP server as a custom connector in Claude or Cowork, including the security notice on granting a third-party service access to act on your behalf. Outcome: understand exactly what permissions you're handing an agent before you point it at a live business tool.
Sysdig's JADEPUFFER research writeup
Full indicators of compromise and defensive recommendations from the first documented agentic ransomware case. Outcome: a concrete checklist for hardening any internet-facing agent framework (Langflow or otherwise) before an autonomous attacker finds it first.
Operator’s picks | Tools to try
Postiz (cloud)
Use for: connecting Claude Cowork directly to your LinkedIn and social calendar via MCP, no workflow builder required.
Standout: exposes tool calls (list channels, draft, schedule) that an agent can call natively, and everything lands as a draft by default rather than publishing live.
Postiz (self-hosted, AGPL-3.0)
Use for: firms in regulated segments - law, insolvency, financial advice - where client mentions and drafts can't sit on a third-party cloud.
Caveat: you take on the hosting and maintenance overhead that the cloud tier handles for you.
Claude custom connectors
Use for: wiring any MCP endpoint - Postiz or otherwise - into an agent workflow from Settings, no code required.
Pair with: a written approval step before anything is allowed to auto-publish, per this week's JADEPUFFER lesson on unsupervised agent access.
Deep dive | Thesis & Playbook
Your Firm's LinkedIn, Run by an Agent - No Code, and You Can Own the Data
Most consultancies under 250 staff have no dedicated marketer. Posting is whoever has a spare hour, which usually means it's late, inconsistent, or simply doesn't happen. Model Context Protocol has now made it genuinely trivial for an AI agent to drive a social scheduler directly - which changes the calculus on whether "we should really be more consistent on LinkedIn" ever gets acted on.
On paper
Postiz is an open-source social scheduler covering 30+ networks, with a built-in AI assistant and around 30,000 GitHub stars.
It exposes an MCP server, so Claude Cowork can list channels, draft posts and schedule them directly - no separate automation platform in between.
It's fully self-hostable under AGPL-3.0, meaning a firm can run its own instance and keep drafts and client mentions off a third-party cloud entirely.
Setup is a three-step, roughly five-minute job: connect a channel on Postiz, copy the MCP link from the API settings, paste it into a Claude custom connector.
In practice
Once connected, the loop is short: give Cowork a piece of content you've already made (a video transcript, a case note), ask for one post in your voice, and it drafts and schedules it - not publishes it - inside Postiz.
The agent doesn't invent opinions; it pulls a specific point out of whatever source material it's given, which removes the blank-page problem that usually kills posting consistency.
The one-time setup is the only manual step. After that, scaling is just repeating the same request each time you publish something new.
Cloud Postiz means drafts and any client references pass through a third-party server before you approve them; self-hosting removes that step but adds ongoing infrastructure ownership.
Issues/backlash
Renting a shared API is not the same as running your own isolated instance - firms in regulated segments (law, insolvency, financial advice) should treat "we use an AI scheduler" and "we self-host it" as two different governance answers, not interchangeable ones.
This week's JADEPUFFER research is a pointed reminder that any internet-facing agent framework - including a self-hosted Postiz instance or an exposed MCP endpoint - is now a target an autonomous agent can find and exploit without a skilled human behind it.
Approval fatigue is real: if the draft step becomes a rubber stamp rather than an actual read, the safety benefit disappears even though the workflow looks unchanged from the outside.
My take (what to do)
Startup (15-40 staff): Connect Postiz's free tier and Claude Cowork this week, and turn one thing you've already made - a video, a case note - into one approved LinkedIn post. That's roughly 10 minutes of partner time recovered every time you'd otherwise have written a post from scratch.
SMB (50-120 staff): Assign one person as the "content ops" owner. Standardise two or three themes before automating anything, connect the MCP integration once, and require every draft to be read and approved by a named person before it publishes - not a rotating duty nobody actually does.
Enterprise (150-250 staff): If you're in a regulated segment, move to self-hosted Postiz so client mentions never leave your infrastructure, and treat the MCP connector like any other write-access integration - it goes through the same security review as a CRM or email connector, with an audit log of every scheduled post.
How to try (15-minute path)
Create a free Postiz account, connect your LinkedIn company page, and copy your MCP link from Settings → Developers → Public API (5 min)
In Claude, add it as a custom connector under Settings → Connectors → Add custom connector, then ask Cowork to "list my connected Postiz channels" to confirm it's live (5 min)
Give it one recent piece of content and ask for a single LinkedIn post, scheduled as a draft.(5 min)
Success metric: you read it, approve it, and it took under a minute.
"The model closed loops that used to require a skilled human."
Spotlight tool | Postiz
Purpose: an open-source, self-hostable social media scheduler built to be driven by an AI agent rather than a human clicking through a dashboard.
Edge: exposes an MCP server so Claude Cowork can list channels, draft posts and schedule them natively - and everything lands as a draft, not a live publish, by default.
→ 30+ network coverage
→ MCP-native agent control
→ Self-hostable under AGPL-3.0 for firms that need client data to stay in-house
Try it: Postiz
What did you think of today's issue?
Did you find it useful? Or have questions? Please drop me a note., I respond to all emails. Simply reply to the newsletter or email [email protected].
This issue’s sponsor
n8n
An open‑source automation platform that lets you chain tools like DeepSeek, OpenAI, Gemini and your existing SaaS into real business workflows without paying per step. Ideal as the backbone for your first serious AI automations.

Refer and win
Share this newsletter for a chance to win!

